IN THE CLAIMS



1. (Currently Amended) In a first node of a physical network supporting multiple
virtual network connections, a method to dynamically modify configuration data 
supporting virtual networks, the method comprising: 

receiving i) destination network address information associated with at 
least one host computer, and ii) a corresponding gateway identifier of a gateway 
in the physical network, jhe gatew 
Qg|workjhjx)ugh,whjch,ih 

generating a notification message including the destination network 
address information and the corresponding gateway identifier; and 

transmitting the notification message to a second node of the physical
network enabling the second node to create a mapping between the at least one
host computer and a virtual network connection between the second
node and the first node on which to forward data messages from the second
node through the gateway to the at least one host computer based on identifying,
as specified by the mapping, that the data messages having the destination
network address information are to be mapped to and sent over the virtual
network connection to the at least one host computer through the gateway as
specified by the corresponding gateway identifier.

2. (Currently Amended) A method as in claim 1 , wherein generating a notification 
message further comprises: 

generating at least a portion of the notification message in accordance 
with a distribution protocol utilized by service providers to disseminate routing 
policy information to customer edge nodes; and 

wherein transmitting a notification message includes: 
transmitting the destination network address information and the 
corresponding gateway identifier as an appendix to the notification message.

3. (Original) A method as in claim 2, wherein the distribution protocol is based at
least in part on an interautonomous system routing protocol and the virtual 
network connection between the second node and the first node is a virtual 
private network connection overlaid on the physical network, one end of the 
virtual private network connection terminating at the gateway identified by the 
corresponding gateway identifier. 

4. (Currently Amended) A method as in claim 1 further comprising: 

transmitting routing policy attribute information in addition to the 
destination network address information and corresponding gateway identifier to
the second node to more particularly define a policy for routing the data 
messages on a corresponding virtual network connection through the gateway to 
the at least one host computer. 

5. (Original) A method as in claim 1, wherein the first and the second nodes are
part of a network that does not inherently support encryption services and 
configuration data at the second node at least partially supports encryption of 
data messages forwarded to the at least one host computer through the gateway 
identified by the corresponding gateway identifier. 

6. (Original) A method as in claim 1, wherein transmitting the network address and
identifier includes: 

delivering the notification message including the network address and 
corresponding gateway identifier to multiple customer edge nodes of the physical 
network, each customer edge node updating its corresponding configuration data 
for establishing private networks between the customer edge nodes based on the 
network address and corresponding gateway identifier.

7. (Original) A method as in claim 1, wherein the first and second nodes are
customer edge nodes in a network and the network supports virtual private 
networks terminating at the customer edge nodes. 

8. (Currently Amended) A method as in claim 1, wherein the destination network
address information identifies a single host computer. 

9. (Currently Amended) A method as in claim 1, wherein the destination network
address information identifies a range of host computers that are part of a 
network coupled to the first node. 

10. (Original) A method as in claim 1, wherein the corresponding gateway identifier
is an IPsec identity associated with the at least one host computer. 

11. (Currently Amended) A computer system at a first node of a physical network
that at least partially supports a virtual network connection, the computer system 
comprising: 

a processor; 

a memory unit that stores instructions associated with an application 
executed by the processor; 

a communication interface that supports communication with other nodes 
of the physical network; and 

an interconnect coupling the processor, the memory unit, and the 
communication interface, enabling the computer system to execute the 
application and perform operations of: 

receiving i) destination network address information associated with
at least one host computer, and ii) a corresponding gateway identifier of a
gateway in the physical network;

generating a notification message including the destination network
address information and the corresponding gateway identifier; and

transmitting the notification message including the destination

second node of the physical network enabling the second node to 
establish a virtual network connection between the second node and the 
first node on which to forward data messages to the at least one host 
computer based on the corresponding gateway identifier. 



12. (Currently Amended) A computer system as in claim 11 that, when generating a
notification message and respectively transmitting a notification message, further 
performs operations of: 

generating at least a portion of the notification message in accordance 
with a distribution protocol utilized by service providers to disseminate routing 
policy information to customer edge nodes; and 

transmitting the destination network address information and the 
corresponding gateway identifier as an appendix to the notification message. 

13. (Original) A computer system as in claim 12, wherein the distribution protocol is 
based at least in part on an interautonomous system routing protocol and the 
virtual network connection between the second node and the first node is a 
virtual private network connection overlaid on the physical network, one end of 
the virtual private network connection terminating at the gateway identified by the 
corresponding gateway identifier. 



14. (Currently Amended) A computer system as in claim 11 that further performs an
operation of: 

transmitting routing policy attribute information in addition to the 
destination network address information and corresponding gateway identifier to 
the second node to more particularly define a policy for routing the data 
messages on a corresponding virtual network connection through the gateway to 
the at least one host computer.

15. (Original) A computer system as in claim 11, wherein the first and the second
nodes are part of a network that does not inherently support encryption services 
and configuration data at the second node at least partially supports encryption 
of data messages forwarded to at least one host computer through the gateway 
identified by the corresponding gateway identifier. 

16. (Original) A computer system as in claim 11 that, when transmitting the network
address and identifier, further performs operations of:

delivering the notification message including the network address and 
corresponding gateway identifier to multiple customer edge nodes of the physical 
network, each customer edge node updating its corresponding configuration data 
for establishing private networks between the customer edge nodes based on the 
network address and corresponding gateway identifier. 

17. (Original) A computer system as in claim 11, wherein the first and second nodes
are customer edge nodes in a network configured according to Request For 
Comment 2547 and the network supports virtual private networks terminating at 
the customer edge nodes. 

18. (Currently Amended) A computer system as in claim 11, wherein the destination
network address information identifies a single host computer coj}fjguredJo 
receiyejdjitaj]^ 

through the first node from the second node. 

19. (Currently Amended) A computer system as in claim 11, wherein the destination
network address information identifies a range of host computers that are part of 
a network coupled to the first node.

20. (Original) A computer system as in claim 11, wherein the corresponding gateway
identifier is a network address of the at least one host computer.

21. (Currently Amended) In a receiving node of a physical network supporting
multiple virtual network connections, a method to dynamically modify 
configuration data associated with at least one of the multiple virtual network 
connections, the method comprising: 

receiving a notification message from a sending node of the physical 
network, the notification message including destination network address 
information and a corresponding gateway identifier of a gateway of the physical 
network; 

based on contents of the notification message, modifying a map at the 
receiving node to include the destination network address information, the 
corresponding gateway identifier, and configuration data identifying at least part 
of a virtual network connection between the receiving node and the sending node 
on which to forward data messages through the gateway to a destination node as 
specified by the destination network address information; and

upon forwarding data messages through the receiving node, utilizing the 
map to identify on which virtual network to forward the data messages from the
receiving node through the gateway to the destination node based on the 
destination network address information associated with the destination node to 
whjcjiJIjed^ 

22. (Canceled) 

23. (Currently amended) A method as in claim 21 further comprising: 

at the receiving node including the map, receiving a data message to be 
forwarded based on a corresponding destination address; 

comparing the destination address and a source address of the data 
message to destination network address information stored in the map; 

identifying, based on the destination address, how to transmit the data 
message to the destination node based on a corresponding virtual network 
connection specified in the map.

24. (Currently Amended) A method as in claim 23 further comprising:

in response to identifying that the destination address of the data message 
matches destination network address information in the map, establishing the 
corresponding virtual network connection specified in the map on which to 
transmit the data message to the destination node. 

25. (Original) A method as in claim 24, wherein establishing a virtual network 
connection includes establishing a virtual private network connection between 
the receiving node and sending node based on IKE (Internet Key Exchange) 
protocol and Ipsec (Internet Protocol Security). 

26. (Currently Amended) A method as in claim 23 further comprising: 

in response to identifying that the destination address of the data message 
matches destination network address information in the map, identifying whether 
a corresponding virtual network connection specified in the map has been 
established and, if so, transmitting the data message on the established virtual 
network connection to the destination node. 

27. (Currently Amended) A method as in claim 21, wherein the destination network
address information identifies a single host computer. 

28. (Currently Amended) A method as in claim 21, wherein the destination network
address information identifies a range of host computers that are part of a 
network coupled to the first node. 



29. (Original) A method as in claim 21, wherein the corresponding gateway identifier
is an IPsec identity associated with the at least one host computer.

30. (Original) A method as in claim 21, wherein the gateway is located in the
sending node. 



31. (Currently Amended) A computer system at a receiving node of a physical
network that at least partially supports a virtual network connection, the computer
system comprising:

a processor;

a memory unit that stores instructions associated with an application
executed by the processor;

a communication interface that supports communication with other nodes
of the physical network; and

an interconnect coupling the processor, the memory unit, and the
communication interface, enabling the computer system to execute the
application and perform operations of:

receiving a notification message from a sending node of the 
physical network, the notification message including destination network 
address information of a destination node and a corresponding gateway
identifier of a gateway of the physical network; 

based on contents of the notification message, modifying a map at 
the receiving node to include the destination network address information, 
the corresponding gateway identifier, and configuration data identifying at 
least part of a virtual network connection between the receiving node and 
the sending node on which to forward data messages through the 
gateway to a destination node as specified by the destination network
address information; and

utilizing the map to identify on which of multiple virtual network
connections to forward the data messages from the receiving
node through the gateway to the destination node based on the
0Q<Mi®Jftdli^^ support forwarding of

data messages through the receiving node. 

32. (Canceled) 

33. (Currently Amended) A computer system as in claim 31 that further performs 
operations of:

at the receiving node including the map, receiving a data message to be 
forwarded based on a corresponding destination address; 

comparing the destination address and a source address of the data 
message to destination network address information stored in the map; 

identifying, based on the destination address, how to transmit the data 
message to the destination node based on a corresponding virtual network 
connection specified in the map. 

34. (Currently Amended) A computer system as in claim 33 that further performs
operations of: 

in response to identifying that the destination address of the data message 
matches destination network address information in the map, establishing the 
corresponding virtual network connection specified in the map on which to 
transmit the data message to the destination node. 

35. (Original) A computer system as in claim 34, wherein establishing a virtual 
network connection includes establishing a virtual private network connection 
between the receiving node and sending node based on IKE (Internet Key 
Exchange) protocol and Ipsec (Internet Protocol Security). 



36. (Currently Amended) A computer system as in claim 33 that further performs
operations of:

in response to identifying that the destination address of the data message
matches destination network address information in the map, identifying whether 
a corresponding virtual network connection specified in the map has been 
established and, if so, transmitting the data message on the established virtual 
network connection to the destination node. 

37. (Currently Amended) A computer system as in claim 31, wherein the destination
network address information identifies a single host computer. 

38. (Currently Amended) A computer system as in claim 31, wherein the destination
network address information identifies a range of host computers that are part of 
a network coupled to the first node. 

39. (Original) A computer system as in claim 31, wherein the corresponding gateway
identifier is a network address of the at least one host computer. 

40. (Original) A computer system as in claim 31, wherein the gateway is located in
the sending node. 

41. (Currently Amended) A computer program product including a computer-
readable medium having instructions stored thereon for processing data 
information, such that the instructions, when carried out by a processing device, 
enable the processing device to perform the steps of: 

receiving i) destination network address information associated with at 
least one host computer, and ii) a corresponding gateway identifier of a gateway 
in the physical network; 

generating a notification message including the destination network 
address information and the corresponding gateway identifier; and 

transmitting the notification message to a second node of the physical 
network enabling the second node to establish a virtual network connection 
between the second node and the first node on which to forward data messages
to the at least one host computer based on amagpjng,assod^^^ 

corresponding gateway identifier. 

42. (Currently Amended) A computer system at a first node of a physical network 
that at least partially supports a virtual network connection, the computer system 
comprising: 

means for receiving i) destination network address information associated 
with at least one host computer, and ii) a corresponding gateway identifier of a 
gateway in the physical network; 

means for generating a notification message including the destination
network address information and the corresponding gateway identifier; and 

means for transmitting the notification message to a second node of the 
physical network enabling the second node to establish a virtual network 
connection between the second node and the first node on which to forward data 
messages to the at least one host computer based on a mapping association
between the destination network address information and the corresponding
gateway identifier.

43. (Currently Amended) A computer program product including a computer- 
readable medium having instructions stored thereon for processing data 
information, such that the instructions, when carried out by a processing device, 
enable the processing device to perform the steps of: 

receiving a notification message from a sending node of the physical 
network, the notification message including destination network address 
information and a corresponding gateway identifier of a gateway of the physical 
network; 

based on contents of the notification message, modifying a map at the 
receiving node to include the destination network address information, the 
corresponding gateway identifier, and configuration data identifying at least part
of a virtual network connection between the receiving node and the sending node
on which to forward data messages through the gateway to a destination node as
specified by the destination network address information; and

utilizing the map to identify on which virtual network to forward the data 
messages through the gateway to the destination node based on the destination 
D.etwoxk addjes^^ 

data messages are directed to support forwarding of data messages through the
receiving node. 

44. (Currently Amended) A computer system at a receiving node of a physical
network that at least partially supports a virtual network connection, the computer
system comprising: 

means for receiving a notification message from a sending node of the 
physical network, the notification message including destination network address 
information and a corresponding gateway identifier of a gateway of the physical 
network; and 

means for modifying a map at the receiving node to include the destination 
network address information, the corresponding gateway identifier, and 
configuration data identifying at least part of a virtual network connection 
between the receiving node and the sending node on which to forward data 
messages through the gateway to a destination node as specified by the
destination network address information; and

means for utilizing the map to identify on which virtual network to forward 
the data messages from the receiving node through the gateway to the
destination node b^sed on the des^ 
assQciated.wJth.the destb 

support forwarding of data messages through the receiving node.

45. (Currently Amended) In a physical network supporting virtual private network
connections terminating at customer edge routers coupled to a service provider 
network, a method comprising: 

at a first customer edge router: 

receiving a range of destination network addresses associated with
host computers coupled to the first customer edge router;

in addition to receiving the range of destination network addresses,
receiving a security gateway identifier associated with a second customer edge 
router of the service provider network; 

generating and transmitting a notification message including the range of 
destination network addresses and the security gateway identifier to the second 
customer edge router; and 

at the second customer edge router: 

receiving the notification message; 

based on contents of the notification message, generating a map to 
include the range of destination network addresses and a corresponding
virtual private network connection between the second customer edge 
router and first customer edge router; and 

prior to forwarding data messages through the second customer 
edge router to a computer having a destination network address in the
range of destination network addresses, utilizing the map to identify on 
which virtual private network to forward the data messages. 

46. (Currently Amended) A method as in claim 1 further comprising: 

generating a map at the second node based on the destination network 
address information and the corresponding gateway identifier of the gateway for 
routing of messages destined for the at least one host computer via the gateway 
identifier, the second node supporting forwarding of the messages to the at least 
one host computer through the gateway as specified by the corresponding 
gateway identifier.

47. (Currently Amended) A method as in claim 2, wherein transmitting the notification
message to the second node includes: 

transmitting the notification message from a first customer edge node 
through a path including a service provider network to a second customer edge 
node, the second customer edge node configured to utilize the destination 
network address information and the corresponding gateway identifier to create a 
map specifying the gateway in the physical network as specified by the 
corresponding gateway identifier on which to forward messages from the second 
customer edge node through the service provider network to the first customer 
edge node to the at least one host computer. 

48. (Previously Presented) A method as in claim 47, wherein transmitting the 
notification message from the first customer edge node through the path 
including the service provider network to the second customer edge node 
includes: 

transmitting the notification message to a first service provider edge router 
in the service provider network, the first service provider edge router configured 
to distribute the notification message to multiple other service provider edge 
routers in the service provider network. 



49. (Currently Amended) A method as in claim 48, wherein each of the multiple other 
service provider edge routers in the service provider network is configured to 
identify which virtual private network the corresponding gateway identifier is 
associated with for purposes of advertising the destination network address 
information and the corresponding gateway identifier to appropriate customer 
edge nodes, a given provider edge router of the other service provider edge 
routers configured to receive the notification message from the first service 
provider edge router and forward the destination network address information 
and the corresponding gateway identifier to the second customer edge router.

50. (Previously Presented) A method as in claim 49, wherein the given service
provider edge router is configured to determine a virtual private network to which 
the notification message pertains based on use of a route target extended 
community attribute. 

51. (Previously Presented) A method as in claim 47 further comprising:

maintaining at least one encryption key in the map to enable the second 
customer edge node to identify how to encrypt information transmitted to the at 
least one host computer. 

52. (New) A computer system as in claim 31, wherein the virtual network connection
between the receiving node and sending node is a first virtual network 
connection of the multiple virtual network connections on which to forward data 
from the receiving node through the sending node to the destination node; 

wherein the destination node is a first destination host computer of 
multiple destination host computers to which the sending node serves as a pass- 
through node for forwarding data received from the receiving node; 

wherein the notification message is a first notification message; and 
wherein the corresponding gateway identifier is a first gateway identifier. 

53. (New) A computer system as in claim 52 further supporting operations of: 

receiving a second notification message from the sending node of the 
physical network, the second notification message including destination network 
address information of a second destination node and a second gateway 
identifier of a second gateway of the physical network, the second destination 
node being a second destination host computer of the multiple destination host 
computers; 

based on contents of the second notification message, modifying the map 
at the receiving node to include the second destination network address 
information, the second gateway identifier, and configuration data identifying at
least part of a second virtual network connection between the receiving node and 
the sending node on which to forward data messages through the second 
gateway to the second destination node as specified by the second destination 
network address information; and 

utilizing the map to select the second virtual network connection of the 
multiple virtual networks to forward a given received data message from the 
receiving node through the gateway to the second destination node based on 
identifying that the given received data message includes a destination network 
address equivalent to the second destination network address information in the 
map. 

54. (New) A computer system as in claim 53, wherein the receiving node is a first 
customer edge router and the sending node is a second customer edge router in 
a service provider network; and wherein the first destination host computer and 
the second destination host computer reside external to the service provider 
network. 

55. (New) A method as in claim 21 further comprising: 

based on receiving multiple notification messages from the sending node: 

maintaining the map at the receiving node to include destination 
network address information for a first destination host computer and a 
first corresponding virtual network connection on which to forward data 
destined for the first destination host computer through the sending node 
to the first destination host computer; and 

maintaining the map at the receiving node to include destination 
network address information for a second destination host computer and a 
second corresponding virtual network connection on which to forward data 
destined for the second destination host computer through the sending 
node to the second destination host computer.

56. (New) A method as in claim 54 further comprising:

receiving first data at the receiving node, the first data having a 
destination network address specifying the first destination host computer as a 
respective recipient to which the first data is directed; 

utilizing the map to identify the first corresponding virtual network 
connection as a path on which to forward the first data to the first destination host 
computer from the receiving node over the first virtual network connection to the 
sending node for further transmission of the first data from the sending node to 
the first destination host computer; 

receiving second data at the receiving node, the second data having a 
destination network address specifying the second destination host computer as 
a respective recipient to which the second data is directed; and 

utilizing the map to identify the second corresponding virtual network 
connection as a path on which to forward the second data to the second 
destination host computer from the receiving node over the second virtual 
network connection to the sending node for further transmission of the second 
data from the sending node to the second destination host computer. 

57. (New) A method as in claim 56, wherein the receiving node is a first
customer edge router and the sending node is a second customer edge router of 
a service provider network; and 

wherein the first destination host computer and the second destination 
host computer reside external to the service provider network. 



